Originally Posted by MBybee
What hole does sudo open that having the root password doesn't also open? Sudo can be used in a secure environment in a similar fashion to a setuid root, but with a higher degree of safety (since only users/groups specifically allowed can perform specifically allowed functions).
Unless you mean that "ALL=(ALL:ALL) ALL" type stuff Ubuntu likes to use, which is perhaps just almost the same as logging in as root really. If I use sudo on a machine, it's a ton more restrictive for general users.
- having the root password -
That's a key requirement to logging in as root, which is removed when one uses sudo.
Additionally, it's very difficult to properly secure sudo such that it gives only the functionality desired. For instance, cp/tar/chown/chmod/etc. can all be used to completely own the system if the following is true:
1) I have a login as an unprivileged user
2) I have that user's password (if required for the user to sudo)
3) that user is allowed to sudo any one of those commands as root (and they're not completely 100% spelled out)
sudo is VERY powerful, VERY confusing, and VERY often misconfigured. Give me any command where I can write a file as super-user, and your system is mine. Give me any command where I can leak information reserved to a super-user, and your system will probably be mine. And in both of these cases, the audit trail can't even be trusted (unless you log it off the box... you DO log to a separate machine, right?).
Please note: I don't sit on one side or the other of this debate. I know what I use, and I am comfortable with it. There are tradeoffs that will always apply, and make some security objectives unattainable, while providing others. The best you can do is lock down what you can lock down, mitigate what you can mitigate, and keep a vigilant eye towards your systems for any type of suspicious activity. But that's all common knowledge (I think).
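The point about cp/tar/chown/chmod above is easy to check mechanically: any sudoers rule that lets a user run a file-writing command as root with caller-chosen arguments is root-equivalent, whatever the admin meant. The script below is an added example (not code from the post or its author): a small POSIX sh auditor that classifies each command in a sudoers rule. The rule lines it reads are constructed for the demo, and the verdict labels (root-equivalent, wildcard-args, any-args, fixed-args, unexpanded) are this example's own naming, not sudo terminology.

```shell
#!/bin/sh
# Audit sudoers rules for commands that are root-equivalent when run as root.
set -f   # keep '*' in rules literal; we never want pathname expansion here

# Constructed sample rules for the demo (not taken from any real host).
SAMPLE_SUDOERS='# user   host=(runas)   commands
alice    ALL=(ALL:ALL) ALL
bob      ALL=(root) NOPASSWD: /bin/cp
carol    ALL=(root) /bin/tar, /usr/bin/chmod
dave     ALL=(root) /usr/bin/systemctl restart nginx
erin     ALL=(root) /usr/bin/apt *
frank    ALL=(root) /usr/bin/chown'

# Binaries that hand over the box when run as root with caller-chosen arguments:
#   cp    -> overwrite /etc/sudoers, /etc/passwd or /etc/shadow with a prepared copy
#   tar   -> GNU tar --checkpoint=1 --checkpoint-action=exec=/bin/sh spawns a root shell;
#            extraction also writes to any path
#   chown -> take ownership of /etc/shadow or /etc/sudoers, then edit them
#   chmod -> chmod u+s /bin/bash (then bash -p), or chmod 666 /etc/shadow
DANGEROUS=' cp tar chown chmod '

# verdict_for_command CMDSPEC -> prints one verdict for a single sudoers command spec
verdict_for_command() {
    spec=$1
    set -- $spec; spec=$*                       # normalise whitespace
    while :; do                                 # strip leading tags like NOPASSWD:
        case "$spec" in
            NOPASSWD:*|PASSWD:*|NOEXEC:*|EXEC:*|SETENV:*|NOSETENV:*|LOG_INPUT:*|NOLOG_INPUT:*|LOG_OUTPUT:*|NOLOG_OUTPUT:*|MAIL:*|NOMAIL:*|FOLLOW:*|NOFOLLOW:*)
                spec=${spec#*:} ;;
            *) break ;;
        esac
    done
    set -- $spec                                # $1 = binary, $# = words in spec
    binary=$1
    case "$binary" in
        ALL) echo "root-equivalent:ALL"; return 0 ;;
        /*)  ;;                                 # sudoers commands are full paths
        *)   echo "unexpanded:$binary"; return 0 ;;   # Cmnd_Alias reference, not expanded here
    esac
    base=${binary##*/}
    dangerous=no; haswild=no
    case "$DANGEROUS" in *" $base "*) dangerous=yes ;; esac
    case "$spec" in *\**|*\?*) haswild=yes ;; esac
    if [ "$dangerous" = yes ] && { [ $# -eq 1 ] || [ "$haswild" = yes ]; }; then
        echo "root-equivalent:$base"            # file write as root, args not pinned down
    elif [ "$dangerous" = yes ]; then
        echo "review-fixed-args:$base"          # args spelled out; still a root file write
    elif [ "$haswild" = yes ]; then
        echo "wildcard-args:$base"              # sudo wildcards match across argument boundaries
    elif [ $# -eq 1 ]; then
        echo "any-args:$base"                   # no args listed means any args are accepted
    else
        echo "fixed-args:$base"
    fi
}

# audit_rule LINE -> prints "user<TAB>verdict" for every command in one rule line
audit_rule() {
    line=$1
    case "$line" in ''|\#*|Defaults*|*_Alias*) return 0 ;; esac   # comments, options, alias defs
    set -- $line
    user=$1
    cmds=${line#*=}                             # drop "user host="
    set -- $cmds; cmds=$*
    case "$cmds" in \(*) cmds=${cmds#*\)} ;; esac   # drop "(runas)" if present
    old_ifs=$IFS
    IFS=','
    set -- $cmds                                # one positional param per command spec
    IFS=$old_ifs
    for spec in "$@"; do
        printf '%s\t%s\n' "$user" "$(verdict_for_command "$spec")"
    done
}

# audit_sudoers: reads rule lines from stdin, one verdict line per command
audit_sudoers() {
    while IFS= read -r line || [ -n "$line" ]; do
        audit_rule "$line"
    done
}

if [ -r "${1:-}" ]; then
    audit_sudoers < "$1"
else
    printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
fi
```

On the sample, alice, bob, carol and frank all come out root-equivalent even though only alice was given ALL, which is exactly the misconfiguration the post describes. The checker is deliberately narrow: it does not expand Cmnd_Alias entries, follow #include directives, handle `!` negations or backslash continuation lines, and the four-binary list is a starting point, not a complete catalogue of commands that can write or leak files as root.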